Privacy and Woebot Health

Effective Date: April 28, 2022

Privacy Policy Overview

We take your privacy very seriously. Our full Privacy Policy is below, and it includes contact details as well as information about how we process data, your rights, our beliefs, and legal requirements. In case it’s a lot for you to read through, here are five things we definitely want you to know:

  1. We’re intentional about the data we collect, and it’s always with the goal to deliver an experience that helps you. We collect data: directly from you, like your email address to get in touch or your age for content recommendations; passively, such as your general app usage to improve Woebot; from program partners like payors, providers, or your employer, to verify eligibility. Our systems are designed such that the data we collect and hold internally is only available to Woebot Health team members when it’s absolutely necessary for their job.

  2. What you write to Woebot, and the transcripts of your conversations with Woebot, are never shared with any third party (except to ensure your safety and those of your loved ones).

  3. We never, ever sell or share your data with advertisers.

  4. The data we do share is with specific purpose and intent. We uphold transparency and inform you with as much information as possible on how your data is processed. We share data with service providers who make the Woebot app work; research or partners as part of a Special Program you choose to be a part of; or to comply with law enforcement or national security requests. Please see “Sharing of Personal Data with Third Parties” below for details on how information is shared with third parties for general use of Woebot and “Disclosures to Third Parties for Special Programs” below for details on programs in employer, clinical or research settings. Here are examples of how data is shared in those instances:

    • General app usage: we may share general app usage information with our service providers who make the Woebot app work or to comply with law enforcement or national security requests.
    • In an employer setting: we may share usage information about the services in a de-identified and aggregate manner with the program partner.
    • In a clinical setting: we may share with the program partner clinically relevant data points if required as part of your care, such as the time of day you spoke to Woebot or which therapeutic tool Woebot guided you through.
    • In a research setting: what we may share is clearly identified during participant consent.

  5. You have rights to your data. Anyone can access, correct, delete or restrict their data. You can share as much or as little as you like, and you can opt out of emails, texts or push notifications.

Privacy is complex, and the types of data available online continue to evolve, but know this: while we may evolve our policies, the commitments we’ve outlined above will never change. 

Please reach out anytime with questions, comments, concerns or ideas at privacy@woebothealth.com

Now, here are the full, all-inclusive details.

Introduction

Woebot Health (“Woebot”, “us”, “we” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy describes how we collect, store, use and distribute personal data through our software, website, mobile application (“App”), documentation, and related services (together, the “Services”).

In this Privacy Policy, references to “you” means the person whose personal data we collect, use and process. Please read this Privacy Policy carefully to understand our treatment and use of personal data.

We will use your personal data only for the purposes and in the manner outlined below, and in compliance with applicable laws.

Please note that by using the Services, you acknowledge that you have read and understand this Privacy Policy.

All Woebot Platforms

When you create a user account, you will be asked to provide an email address and password so that we can identify you across devices and comply with any potential request to delete or access your data. We may also ask for a referral or access code, which we may use to track your participation in special programs, described in more detail below. On certain versions of the Services, you may be able to skip account creation and create an account locally on your device: note that without an account, you will not be able to recover your data or log in on a different device.

iOS and Android apps

We use your email to create a user account. We use your time zone to personalize the experience.

Identity of the Controller of Personal Information

The data controller for the Services is Woebot Health, a company registered in the United States and having its registered office address at 1460 Mission Street, San Francisco CA 94103.

Contact Details of the Data Protection Officer / Representative

Woebot’s Data Protection Officer can be contacted at:

Email Address: privacy@woebothealth.com
Address: 1460 Mission St, San Francisco, CA 94103

When Does this Privacy Policy Apply?

The Privacy Policy applies to personal data that we collect, use, and otherwise process about you in connection with your use of the Services.

Processing of Your Personal Data

How and why do we process your personal data?

When you use the Services, we may collect and process different personal data about you. The personal data we process, the basis of processing and the purposes of processing are detailed below. Sometimes, these activities are carried out by third parties (see “Sharing of Personal Data with Third Parties” section below).

We encourage you to supply only the information you are comfortable with.

Account information

  • Personal data: Personal data (which may include your name and other similar personal data you provide to us), password, referral or access code for participation in special programs, and email address. Some of this data may be considered “Protected Health Information” under the Health Insurance Portability and Accountability Act.
  • Legal basis of processing: Contractual necessity; Consent
  • Purpose of processing: This is required to provide the Services, to maintain our customer/visitor lists, to respond to your inquiries or provide feedback, for identification and authentication purposes, for service improvement, and to address issues like malicious use of the Services.

Your communications with us

  • Personal data: Your email address, full name, platform, operating system version, communications with us, and any attachments you submit via our help portal, such as an optional profile photo or phone number.
  • Legal basis of processing: Contractual necessity; Consent; Legitimate interest
  • Purpose of processing: We collect this information when you request information about our services, register for our newsletter, request customer or technical support, or otherwise communicate with us. You can unsubscribe from communications, including the newsletter, at any time by clicking the unsubscribe link in each email or by contacting us via the methods described in “Contact Us” below.

Participation and Assessment data

  • Personal data: Participation data, responses to assessments, S.O.S. triggers, measures and satisfaction surveys. Some of this data may be considered “Protected Health Information” under the Health Insurance Portability and Accountability Act.
  • Legal basis of processing: Contractual necessity; Consent; Legitimate interest
  • Purpose of processing: We collect this information to enable us to administer and improve our Services to you. We may also collect this information to fulfill participation in Special Programs as described in “Disclosures to Third Parties for Special Programs” below.

Conversation data

  • Personal data: Text, graphics, video, or messages you generate through your interactions with Woebot.
  • Legal basis of processing: Contractual necessity; Consent; Legitimate interest
  • Purpose of processing: We collect this information to enable us to administer and improve our Services to you.

Hardware Diagnostic and login information

  • Personal data: Crash reports, along with logging information from your system documenting the error. Information regarding your operating system version, hardware, browser version (and .NET version information in case of Windows systems), and your email address, if provided. Additionally, certain login information may be maintained in a cookie stored locally on your device in order to streamline the login process.
  • Legal basis of processing: Contractual necessity; Legitimate interest
  • Purpose of processing: We collect this information to enable us to administer and improve our Services to you.

Your use of our Services

  • Personal data: Analytics information collected through the use of cookies, log files, pixel tags and web beacons (“Technologies”) or while using the Services. Such information may include standard information regarding your mobile device, browser type, browser language, operating system, Internet Protocol address, and the actions you take on our website, such as the web pages viewed and the links clicked.
  • Legal basis of processing: Contractual necessity; Legitimate interest
  • Purpose of processing: We collect this information to enable us to administer and improve our Services. We may also use your Analytics Information in conjunction with an analytics service such as Google Analytics to monitor and analyze use of the Services, for the Services’ technical administration, to increase the Services’ functionality and user-friendliness, and to verify users have the authorization needed for the Services to process their requests.

Product surveys, promotional activities and social media content

  • Legal basis of processing: Contractual necessity; Consent; Legitimate interest
  • Purpose of processing: Within or outside the App, we may offer the ability to participate in surveys or run sweepstakes or contests to promote the Services. Contact information you provide may be used to reach you about the sweepstakes or contest and for other promotional, marketing and business purposes, as permitted by law. In some jurisdictions, we are required to publicly share information about winners. We may offer forums, blogs, or social media pages. Any content you provide on these channels will be considered “public” and is not subject to the privacy protections referenced herein. Please exercise caution before revealing any information that may identify you in the real world to other users.

Our uses of the aforementioned Technologies fall into the following general categories:  

  • Operationally Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity and improve security or that allow you to make use of our functionality;
  • Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see “Analytics Vendors” above);
  • Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;
  • Advertising- or Targeting-Related. We may use first party or third-party Technologies to deliver Woebot relevant content, including ads relevant to your interests, on our Services or on third-party websites.

See “Your Rights” below to understand your choices regarding these Technologies.

Information from Other Sources

We may obtain information about you from other sources, including through third party services and organizations to supplement information provided by you. For example, if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made available via your privacy settings. This supplemental information allows us to verify information that you have provided to us and to enhance our ability to provide you with the Services and information about our business and products.

Analytics Vendors

We may also use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on our Services.

For more information about Google Analytics, please visit Google Privacy. You can opt out of Google’s collection and processing of data generated by your use of our website by clicking this link: Opt-Out of Google Analytics

Social Media Platforms

Our Services may contain social media buttons that might include widgets such as the “Share Woebot” button. These features may collect your IP address, which page you are visiting on our Services, and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing it.

Use of De-identified and Aggregated Information

We may use personal data and other data about you to create de-identified and aggregated information, such as general location information, information about the computer or device from which you access our Services, or other analyses we create. We may share this information with the parties listed in “Sharing of Personal Data with Third Parties” below or as required or permitted by applicable law.

Where does Woebot Obtain my Personal Data From?

Most of the personal data we process is obtained from you when, through the application, you register for a Woebot account and exchange messages with Woebot. Other types of personal data may be obtained from third parties (such as Google Analytics) to enrich and continuously improve the user experience.

Sharing of Personal Data with Third Parties

We do not share your personal data with third parties, except as provided below.

1. Service Providers

We use third party service providers who provide technical and support services to help us provide and improve the product and Services. In providing the Services, these third party service providers may have limited and controlled access to databases of user information or registered member information solely for the purpose of helping us to improve the product and they will be subject to contractual restrictions prohibiting them from using the personal data of our members for any other purpose.

2. Disclosures to Third Parties for Special Programs

We partner with Program Partners in Special Programs to conduct studies or provide services with the Program Partner’s offerings. Program Partners may include your employer, hospital, or care physician, certification authorities, or other medical and academic partners. If you participate in a special program, we will not share your Conversation Data as defined under Personal Data with Woebot to a program partner. 

What we may share:

  • In an Employer setting, we may share with the program partner usage information about the Services, such as statistical usage information and the outcome of participation in the program (as measured, for example, by survey responses, engagement and satisfaction metrics) in a de-identified and aggregate manner. 
  • In a Clinical setting, we may share clinically relevant data with the program partner if required as part of your care. This could include usage information about the Services, such as statistical usage information, and the outcome of your participation in the program (as measured, for example, by your survey responses, engagement and satisfaction metrics).
  • In a Research setting, what we may share is clearly identified during participant consent. 

Note that your participation in special programs may be governed by terms outside of this Privacy Policy. Please contact the Program Partner for additional information on their Privacy Policy and Terms of Service.

3. Disclosure to Other Third Parties

In certain circumstances, we share and/or are obliged to share your personal data with third parties in accordance with applicable law, including if we, in good faith, believe doing so is required or appropriate to comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; assist with an investigation or prosecution of suspected or actual illegal activity or as otherwise allowed under applicable law.

These third parties include:

  • administrative authorities (tax or social security authorities)
  • financial institutions
  • insurance companies
  • police, public prosecutors, regulators
  • external advisors

We may also disclose your personal data in connection with a corporate reorganization, a merger or amalgamation with another entity, a sale of all or a substantial portion of our assets or stock, including any due diligence exercise carried out in relation to the same, provided that the information disclosed continues to be used for the purposes permitted by this Privacy Policy by the entity acquiring the information.

Transfer Outside the European Economic Area, Switzerland, or the UK

Your personal data may be transferred, stored and processed in one or more countries outside of the country you reside or are currently located. In the European Economic Area (“EEA”), Switzerland, or the UK, for example, when one of our service providers uses employees or equipment based outside the EEA or UK. For transfers of your personal data to third parties outside of the country you reside or are currently located, we take additional steps consistent with applicable law. We endeavor to put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will endeavor to establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission’s model clauses.

If you would like to see a copy of any relevant provisions, please contact Woebot’s Data Protection Officer / Representative (see “Contact Us” section below).

How is My Personal Data Secured?

Woebot operates and uses appropriate technical and physical security measures to protect your personal data.

We have, in particular, taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Some examples of our security standards include:

  • We adhere to hospital-level security policies and procedures to protect sensitive user data.
  • We build security into the architectural design of the product by reducing the public and digital footprint, using the benefits of cloud-enabled infrastructure and security by design, such as serverless computing and automatic scaling. All data is encrypted at rest and in-transit.
  • We secure sensitive data in the product, such as protected health information (PHI) and personal identifying information (PII), in a dedicated environment to ensure segregation and clear access control.
  • We endeavor to maintain controlled access into our critical infrastructure through technical network controls, multi-factor authentication and by applying a deny-all/allow-by-exception concept whenever possible.
  • We test the security of our design by performing and remediating findings of penetration tests, vulnerability assessments, internal compliance reviews and more.
  • We support business resiliency by proactively planning for issues and regularly testing our Business Continuity, Disaster Recovery and Incident Response Plans.
  • Access is only granted on a need-to-know basis to those people whose roles require them to process your personal data.

You are also responsible for helping to protect the security of your personal data. For instance, safeguard your email, password and personal credentials when you are using the Services, so that other people will not have access to your personal data. 

Furthermore, you are responsible for maintaining the security of any device on which you utilize the Services. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any personal data you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unintentional disclosure.

Storage of Personal Data

We will keep your personal data for as long as it is necessary to fulfill the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations.

If you would like further information about our data retention practices you can ask for this at any time (see “Contact Us” section below).

Your Rights

You may have various rights under data protection legislation in your country (where applicable).

These may include (as relevant):

  1. The right of access enables you to check what type of personal data we hold about you and what we do with that personal data and to receive a copy of this personal data;
  2. The right to rectification enables you to correct any inaccurate or incomplete personal data that we hold about you;
  3. The right to erasure enables you to request that we erase personal data held about you in certain circumstances;
  4. The right to restrict or object to processing of your personal data by us in certain cases, including if you believe that the personal data held about you is inaccurate or our use of the personal data is unlawful; and
  5. The right to data portability enables you to receive your personal data in a structured, commonly used and machine readable format and to have that personal data transmitted to another data controller.
  6. The right to receive confidential communications containing your Protected Health Information by alternative means, such as requesting that we contact you at a different email address or phone number;
  7. The right to receive an accounting of disclosures we have made of your Protected Health Information for a specified time period;
  8. The right to name a personal representative;
  9. The right to withdraw your consent; and
  10. The right to receive a paper copy of this Privacy Policy.

We will process your request in accordance with applicable laws. Note that we will require you to take steps to verify your identity in accordance with applicable law.

If you wish to exercise any of the above rights, please contact us (see “Contact Us” below).

For Android and iOS Apps

To request your data, you can contact support in the Settings section of the app or by emailing support@woebothealth.com from the email address you used to register with the app. After verifying the legitimacy of the request, you will be sent an email that contains a .zip file containing your personal data files.

Supplemental California Privacy Notice

This Supplemental California Privacy Notice only applies to our processing of personal data that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA provides California residents with the right to know what categories of personal data Woebot has collected about them and whether Woebot disclosed that personal data for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:

Category of Personal Data Collected by Woebot: Categories of Third Parties Personal Data is Disclosed to for a Business Purpose

  • Identifiers: Service providers; Advertising partners
  • Personal information categories listed in Cal. Civ. Code § 1798.80(e): Service providers
  • Protected classification characteristics under California or federal law: Service providers
  • Commercial information: Service providers
  • Internet or other electronic network activity: Service providers; Advertising partners
  • Professional or employment-related information: Service providers
  • Inferences drawn from other personal information to create a profile about a consumer: Service providers

The categories of sources from which we collect personal data and our business and commercial purposes for using personal data are set forth above.

Additional Privacy Rights for California Residents

“Sales” of Personal Data under the CCPA. For purposes of the CCPA, Woebot does not “sell” personal data, nor do we have actual knowledge of any “sale” of personal data of minors under 16 years of age.

Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.

Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal data. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact us as set forth in “Contact Us” below.

Verification. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal data or an authorized representative, which may include confirming the email address associated with any personal data we have about you.

Accessibility. This Privacy Policy uses industry-standard technologies and was developed in line with the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1. If you wish to print this policy, please do so from your web browser or by saving the page as a PDF.

Right for Minors to Remove Posted Content. Where required by law, residents under the age of 18 may request to have their posted content or information removed from the publicly-viewable portions of the Services by contacting us directly as set forth in the “Contact Us” section below. Please note that any such removal of posted content does not ensure complete or comprehensive removal of the content or information posted on our Service; for example, the content may not be viewable to certain users while it still remains on our servers in some form.

Restricted Advertisements to Minors. We shall not knowingly use, disclose, compile, or allow a third party to use, disclose or compile, the personal information of an individual under the age of 18 with actual knowledge that the use, disclosure, or compilation is for the purpose of marketing or advertising products or services that are included in the list of restricted products as set forth and defined in the CA BPC 22580(i): alcoholic beverages; firearms or handguns; ammunition or reloaded ammunition; handgun safety certificates; aerosol containers of paint; etching cream; tobacco, cigarette or cigarette papers or blunt wraps or any other preparation of tobacco or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco or any controlled substance; cannabis, cannabis product, cannabis business or any instrument or paraphernalia that is designed for the smoking or ingestion of cannabis or cannabis products; BB device; dangerous fireworks; tanning in an ultraviolet tanning device; dietary supplement products containing ephedrine group alkaloids; tickets or shares in a lottery game; Salvia divinorum or Salvinorin A; body branding; permanent tattoo; drug paraphernalia; electronic cigarette; obscene matter; or a less lethal weapon. 

If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.

Email Communications

If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services or updates to our Terms or this Privacy Policy).

We process requests to be placed on do-not-mail, do-not-phone, and do-not-contact lists as required by applicable law.

Text Messages

You may opt out of receiving text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us.

Mobile Devices

We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device.

“Do not Track”

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

Cookies and Interest-Based Advertising

You may stop or restrict the placement of some of the technologies we use (e.g., cookies) on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS and others.

The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Network Advertising Initiative, the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada.

Please note you must separately opt out in each browser and on each device.

For more information on how we, our partners, and users of our services deploy cookies, as well as the options you have to control them, please see the Cookie Policy.

Children’s Information

The Services are not directed to children under 13 (or other age as required by local law), and we do not knowingly collect personal data from children. If you learn that your child has provided us with personal data without your consent, you may contact us as set forth in “Contact Us” below. If we learn that we have collected any personal data in violation of applicable law, we will promptly take steps to delete such personal data, unless we have a legal obligation to keep it, and terminate the child’s account. 

Third-Party Websites/Applications

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal data to third-party websites or applications is at your own risk.

Your Right to Lodge a Complaint with a Supervisory Authority

If you are unhappy about any aspect of the way we collect, share or use your personal data, please let us know using the contact details below. If you are located in the European Economic Area, Switzerland, or the United Kingdom, you also have a right to complain to your local Data Protection Authority if you prefer. Contact details for Data Protection Authorities in the EU are available at Data Protection.

Changes to This Policy

We may need to make changes to this Privacy Policy at any time. If we make any material changes to how we collect your personal data, or how we use or share it, we will post or provide appropriate notice in accordance with applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use our Services after the new Privacy Policy takes effect.

In order to ensure fairness of the processing, we encourage you to review the content of this Privacy Policy regularly.

Contact Us

For further information, to exercise your rights, or if you have any questions or queries about this Privacy Policy, please contact Woebot’s Data Protection Officer:

email: privacy@woebothealth.com
postal: 1460 Mission St, San Francisco, CA 94103

Archived Versions of the Privacy Policy

  1. July 14, 2021
  2. April 23, 2020